## Unwinding Forward Correctability (1994)

Venue: In Proceedings of the Computer Security Foundations Workshop

Citations: 13 (0 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Millen94unwindingforward,
  author = {Jonathan Millen},
  title = {Unwinding Forward Correctability},
  booktitle = {In Proceedings of the Computer Security Foundations Workshop},
  year = {1994},
  pages = {2--10},
  publisher = {IEEE}
}
```

### Abstract

A state-machine formulation is given for forward correctability in event systems, to provide a type of unwinding result for this information flow security property. We show also how regular expression notation provides an easy mechanical tool for verifying forward correctability for small systems, which is necessary for the effective presentation of examples and exercises.

### Citations

3501 citations: Communicating Sequential Processes
- Hoare
- 1985
- Citation context: ...up a system call into input, internal, and output events, and which have a general way of expressing legal sequences of events. One of the earliest and most influential of these models is Hoare's CSP [Hoa85], and some work has been done to express noninterference in the context of CSP and related models [Fol87, Gra93]. We will use the event system model introduced by McCullough [McC88a]. Event systems ar...

746 citations: Security policies and security models
- Goguen, Meseguer
- 1982
- Citation context: ...o the design of particular covert channel analysis techniques and software tools. In the early 1980's came non-interference, originating at SRI as a theoretical foundation for the HDM/Special flow tool [GoMe82]; it was actually a generalization of an earlier SRI model [FLR77]. Based on an abstract state-transition machine model, non-interference was an elegant concept that spawned many interpretations and s...

219 citations: Derivatives of regular expressions
- Brzozowski
- 1964
- Citation context: ...ation for it. 2.1.3 Definition: / If q E is a set of event sequences, and ∈ E ; q/ = { | ∈ q}. In CSP, q/ is called "q after ." For regular expressions, this is the Brzozowski derivative [Brz64]. It strips off all elements of q that had as a prefix, leaving the tails. The derivative operation has some obvious elementary properties which we will use without proof, such as (q/)/ = q/(). ...

157 citations: Unwinding and inference control
- Goguen, Meseguer
- 1984
- Citation context: ...al advance that assisted in such applications was the "unwinding theorem," which permits a noninterference policy to be expressed equivalently as a test on transition specifications rather than traces [GoMe84]. A particularly lucid rephrasing of that result was given by Rushby [Rus85]. Noninterference as originally defined applies only to deterministic systems. Other information flow models were introduced fo...

121 citations: A model of information
- Sutherland
- 1986
- Citation context: ...elf can be seen as special cases of an information-theoretic interpretation [Mil87], although they can be expressed more directly using Sutherland's nondeducibility, a functional independence concept [Sut86]. A significant advance in the nondeterministic/combinatoric branch of model development was McCullough's "hookup" security, later called "restrictiveness." Extending noninterference to a nondetermin...

91 citations: Noninterference and the composability of security properties
- McCullough
- 1988
- Citation context: ...are outputs. Thus, E = {b} and I = {a}. Let q = (a + ab + c) again. Then (q) = ((a + ab + c) ∩ (E - {a}) )|{b} = c |{b} = = . 2.2.2 A Small Example Two small example systems appeared in [McC88b], called A and B, to illustrate the non-composability of a strawman generalization of noninterference. Those systems have some interesting properties with respect to the definitions we have given: (1) ...

90 citations: Toward a mathematical foundation for information flow security
- Gray
- 1991
- Citation context: ...abilistic and combinatoric, depending on whether probability distributions are assumed known for the system's nondeterministic choices. A discussion of probabilistic noninterference is given by Gray [Gry92]. The corresponding definitions of information flow can be related to Shannon's classical information theory. Even the combinatoric models and noninterference itself can be seen as special cases of an in...

75 citations: Covert channel capacity
- Millen
- 1987
- Citation context: ...nformation flow can be related to Shannon's classical information theory. Even the combinatoric models and noninterference itself can be seen as special cases of an information-theoretic interpretation [Mil87], although they can be expressed more directly using Sutherland's nondeducibility, a functional independence concept [Sut86]. A significant advance in the nondeterministic/combinatoric branch of model...

48 citations: Algebraic Theory of Automata
- Ginzburg
- 1969
- Citation context: ...et of each state. State expressions are generated by noting that, since ∈ q for each state q, q = + {e(q/e) | e ∈ E} and reading q/e off the state graph. This is a standard technique found in, e.g., [Gin68]. Let q_i be the state numbered i in the graph. We have: q_0 = + (x + a + b)q_1 + cq_2, q_1 = + (x + a + b)q_0 + cq_3, q_2 = + (x + b)q_2 + 0A q_4, q_3 = + (x + b)q_3 + 1A q_4, q_4 = + (x + b)q...

46 citations: Proving Noninterference and Functional Correctness Using Traces
- McLean
- 1992
- Citation context: ...gher-level formal specification of it. Both noninterference and nondeducibility are stated in terms of traces. While some systems may be specified directly in terms of their possible traces (see, e.g., [McL92]), program code and many other formal specification approaches assume a state-transition model, and specify individual state transitions. It is helpful, therefore, to express a security property as a c...

32 citations: Security Kernel Validation in Practice
- See, Millen
- 1976

31 citations: Security and the composition of machines
- Johnson, Thayer
- 1988
- Citation context: ...nson and Thayer discovered a security condition that was similar to restrictiveness and retained its essential properties, namely that it is at least as strong as nondeducibility and it is composable [JoTh88]. But their security condition, called forward correctability, was an improvement because it was weaker, i.e., it was satisfied by more systems. Like the original form of restrictiveness, it was defined ...

23 citations: A universal theory of information flow
- Foley
- 1987

23 citations: Hookup Security for Synchronous Machines
- Millen
- 1990
- Citation context: ...eded, and lacked, an unwinding theorem. Although an approximately equivalent version of it was given for state machines, restrictiveness did not have a satisfactory unwinding result. It was argued in [Mil90] that a useful definition of information security should be at least as strong as nondeducibility on inputs (nondeducibility of higher-level inputs from low-level observations), and it also should be co...

17 citations: An Experience of Using Two Covert Channel Analysis Techniques
- Haigh, Kemmerer, et al.
- 1987
- Citation context: ...lies both access control and covert channel analysis, and does not distinguish between them. It has been applied as a security analysis technique to formal specifications of an operating system kernel [HKMY87]. An important theoretical advance that assisted in such applications was the "unwinding theorem," which permits a noninterference policy to be expressed equivalently as a test on transition specificat...

7 citations: Proving multilevel security of a system design
- Feiertag, Levitt, et al.
- 1977
- Citation context: ...oftware tools. In the early 1980's came non-interference, originating at SRI as a theoretical foundation for the HDM/Special flow tool [GoMe82]; it was actually a generalization of an earlier SRI model [FLR77]. Based on an abstract state-transition machine model, non-interference was an elegant concept that spawned many interpretations and subsequent advances. The theory is deep enough so that it underlies...

6 citations: The SRI Security Model
- Rushby
- 1994
- Citation context: ...ich permits a noninterference policy to be expressed equivalently as a test on transition specifications rather than traces [GoMe84]. A particularly lucid rephrasing of that result was given by Rushby [Rus85]. Noninterference as originally defined applies only to deterministic systems. Other information flow models were introduced for application to systems that were not adequately represented by the determi...

5 citations: A lattice model of secure information flow
- Denning, E.
- 1976

5 citations: Laws of non-interference in CSP
- Graham-Cumming
- 1993

1 citation: The Theory of Security in Ulysses, Odyssey Research Associates
- McCullough
- 1988
- Citation context: ...els is Hoare's CSP [Hoa85], and some work has been done to express noninterference in the context of CSP and related models [Fol87, Gra93]. We will use the event system model introduced by McCullough [McC88a]. Event systems are expressible in CSP, but they are simpler conceptually, they can be described without the trappings of the CSP algebra, and the results we wish to extend here were presented in an e...